From 2bae5daf16d4466185fac89539d653b269a3ea01 Mon Sep 17 00:00:00 2001 From: ikerexxe Date: Mon, 29 Jun 2020 15:40:40 +0200 Subject: pam_namespace, pam_mkhomedir: fix unlikely descriptor leaks on error path [ldv: rewrote commit message] * modules/pam_mkhomedir/mkhomedir_helper.c (create_homedir): Close just opened file descriptor "srcfd" in an unlikely case when it cannot be fstat'ed. * modules/pam_namespace/pam_namespace.c (create_instance): Close just opened file descriptor "fd" in an unlikely case when it cannot be fstat'ed. --- modules/pam_namespace/pam_namespace.c | 1 + 1 file changed, 1 insertion(+) (limited to 'modules/pam_namespace/pam_namespace.c') diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index 63b5c665..57b322fe 100644 --- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c @@ -1488,6 +1488,7 @@ static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat * if (fstat(fd, &newstatbuf) < 0) { pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m", ipath); + close(fd); rmdir(ipath); return PAM_SESSION_ERR; } -- cgit v1.2.3 From 3f5fbf9cee564ad05ff35019dd1000598a6ed075 Mon Sep 17 00:00:00 2001 From: Christian Göttsche Date: Mon, 27 Jul 2020 20:03:00 +0200 Subject: pam_namespace: replace deprecated security_context_t libselinux 3.1 deprecated the typedef security_context_t. Use the underlaying type. --- modules/pam_namespace/pam_namespace.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'modules/pam_namespace/pam_namespace.c') diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index 57b322fe..08e3097c 100644 --- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c 
@@ -797,11 +797,11 @@ static char *md5hash(const char *instname, struct instance_data *idata) #ifdef WITH_SELINUX static int form_context(const struct polydir_s *polyptr, - security_context_t *i_context, security_context_t *origcon, + char **i_context, char **origcon, struct instance_data *idata) { int rc = PAM_SUCCESS; - security_context_t scon = NULL; + char *scon = NULL; security_class_t tclass; /* @@ -910,7 +910,7 @@ static int form_context(const struct polydir_s *polyptr, */ #ifdef WITH_SELINUX static int poly_name(const struct polydir_s *polyptr, char **i_name, - security_context_t *i_context, security_context_t *origcon, + char **i_context, char **origcon, struct instance_data *idata) #else static int poly_name(const struct polydir_s *polyptr, char **i_name, @@ -921,7 +921,7 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name, char *hash = NULL; enum polymethod pm; #ifdef WITH_SELINUX - security_context_t rawcon = NULL; + char *rawcon = NULL; #endif *i_name = NULL; @@ -1318,7 +1318,7 @@ static int create_polydir(struct polydir_s *polyptr, mode_t mode; int rc; #ifdef WITH_SELINUX - security_context_t dircon, oldcon = NULL; + char *dircon, *oldcon = NULL; #endif const char *dir = polyptr->dir; uid_t uid; @@ -1413,7 +1413,7 @@ static int create_polydir(struct polydir_s *polyptr, */ #ifdef WITH_SELINUX static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat *statbuf, - security_context_t icontext, security_context_t ocontext, + const char *icontext, const char *ocontext, struct instance_data *idata) #else static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat *statbuf, @@ -1531,7 +1531,7 @@ static int ns_setup(struct polydir_s *polyptr, char *instname = NULL; struct stat statbuf; #ifdef WITH_SELINUX - security_context_t instcontext = NULL, origcontext = NULL; + char *instcontext = NULL, *origcontext = NULL; #endif if (idata->flags & PAMNS_DEBUG) 
@@ -1966,7 +1966,7 @@ static int orig_namespace(struct instance_data *idata) */ static int ctxt_based_inst_needed(void) { - security_context_t scon = NULL; + char *scon = NULL; int rc = 0; rc = getexeccon(&scon); -- cgit v1.2.3 From 31682cd25f7add493216e9bca5d33adab617386a Mon Sep 17 00:00:00 2001 From: Christian Göttsche Date: Mon, 27 Jul 2020 20:16:20 +0200 Subject: pam_namespace: replace deprecated matchpathcon The matchpathcon family is deprecated. Use the selabel family. --- modules/pam_namespace/pam_namespace.c | 34 +++++++++++++++++++++------------- modules/pam_namespace/pam_namespace.h | 1 + 2 files changed, 22 insertions(+), 13 deletions(-) (limited to 'modules/pam_namespace/pam_namespace.c') diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index 08e3097c..94a2223a 100644 --- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c @@ -1319,6 +1319,7 @@ static int create_polydir(struct polydir_s *polyptr, int rc; #ifdef WITH_SELINUX char *dircon, *oldcon = NULL; + struct selabel_handle *label_handle; #endif const char *dir = polyptr->dir; uid_t uid; 
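Review bot: `struct selabel_handle *label_handle;` in the create_polydir hunk is left without an initializer; its only assignment and uses are inside the `if (idata->flags & PAMNS_SELINUX_ENABLED)` block of the following hunk, so this is safe as written, but `struct selabel_handle *label_handle = NULL;` would match the neighbouring `*oldcon = NULL` and keep any later cleanup path from reading an indeterminate pointer. The first hunk (ctxt_based_inst_needed) is a plain type rename and needs nothing. create_polydir continues outside this hunk.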
@@ -1332,20 +1333,27 @@ static int create_polydir(struct polydir_s *polyptr, #ifdef WITH_SELINUX if (idata->flags & PAMNS_SELINUX_ENABLED) { getfscreatecon(&oldcon); - rc = matchpathcon(dir, S_IFDIR, &dircon); - if (rc) { - pam_syslog(idata->pamh, LOG_NOTICE, - "Unable to get default context for directory %s, check your policy: %m", dir); - } else { - if (idata->flags & PAMNS_DEBUG) - pam_syslog(idata->pamh, LOG_DEBUG, - "Polydir %s context: %s", dir, (char *)dircon); - if (setfscreatecon(dircon) != 0) + + label_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0); + if (!label_handle) { + pam_syslog(idata->pamh, LOG_NOTICE, + "Unable to initialize SELinux labeling handle: %m"); + } else { + rc = selabel_lookup_raw(label_handle, &dircon, dir, S_IFDIR); + if (rc) { pam_syslog(idata->pamh, LOG_NOTICE, - "Error setting context for directory %s: %m", dir); - freecon(dircon); - } - matchpathcon_fini(); + "Unable to get default context for directory %s, check your policy: %m", dir); + } else { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "Polydir %s context: %s", dir, dircon); + if (setfscreatecon_raw(dircon) != 0) + pam_syslog(idata->pamh, LOG_NOTICE, + "Error setting context for directory %s: %m", dir); + freecon(dircon); + } + selabel_close(label_handle); + } } #endif diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h index 3a1e4ba3..b51f2841 100644 --- a/modules/pam_namespace/pam_namespace.h +++ b/modules/pam_namespace/pam_namespace.h @@ -68,6 +68,7 @@ #include #include #include +#include #endif #ifndef CLONE_NEWNS -- cgit v1.2.3 From 5bd6274e97f14bb531e04d581c6169bc94afaa43 Mon Sep 17 00:00:00 2001 
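Review bot: `selabel_open(SELABEL_CTX_FILE, NULL, 0)` is opened and closed on every create_polydir call, which re-reads the file_contexts database each time a polydir is created; if a session sets up several polydirs, holding one handle in instance_data (opened once, closed at teardown) would be cheaper, and if the per-call open is deliberate a one-line comment saying so would help. When `selabel_lookup_raw` fails the code only logs and falls through, so mkdir later runs with whatever create context is in force and the directory gets the kernel's default label rather than the policy's file_contexts entry; that matches the old matchpathcon behaviour, but a comment such as `/* no file_contexts entry: directory keeps the inherited create context */` before that `} else {` would make the intent explicit. The header hunk only adds an include. create_polydir continues outside the hunk.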
From: Christian Göttsche Date: Mon, 3 Aug 2020 20:25:23 +0200 Subject: pam_namespace: skip context translation These retrieved contexts are just passed to libselinux functions and not printed or otherwise made available to the outside, so a context translation to human readable MCS/MLS labels is not needed. (see man:setrans.conf(5)) --- modules/pam_namespace/pam_namespace.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'modules/pam_namespace/pam_namespace.c') diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index 94a2223a..f8ced1c3 100644 --- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c @@ -1318,7 +1318,7 @@ static int create_polydir(struct polydir_s *polyptr, mode_t mode; int rc; #ifdef WITH_SELINUX - char *dircon, *oldcon = NULL; + char *dircon_raw, *oldcon_raw = NULL; struct selabel_handle *label_handle; #endif const char *dir = polyptr->dir; 
@@ -1332,25 +1332,25 @@ static int create_polydir(struct polydir_s *polyptr, #ifdef WITH_SELINUX if (idata->flags & PAMNS_SELINUX_ENABLED) { - getfscreatecon(&oldcon); + getfscreatecon_raw(&oldcon_raw); label_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0); if (!label_handle) { pam_syslog(idata->pamh, LOG_NOTICE, "Unable to initialize SELinux labeling handle: %m"); } else { - rc = selabel_lookup_raw(label_handle, &dircon, dir, S_IFDIR); + rc = selabel_lookup_raw(label_handle, &dircon_raw, dir, S_IFDIR); if (rc) { pam_syslog(idata->pamh, LOG_NOTICE, "Unable to get default context for directory %s, check your policy: %m", dir); } else { if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_DEBUG, - "Polydir %s context: %s", dir, dircon); - if (setfscreatecon_raw(dircon) != 0) + "Polydir %s context: %s", dir, dircon_raw); + if (setfscreatecon_raw(dircon_raw) != 0) pam_syslog(idata->pamh, LOG_NOTICE, "Error setting context for directory %s: %m", dir); - freecon(dircon); + freecon(dircon_raw); } selabel_close(label_handle); } @@ -1366,10 +1366,10 @@ static int create_polydir(struct polydir_s *polyptr, #ifdef WITH_SELINUX if (idata->flags & PAMNS_SELINUX_ENABLED) { - if (setfscreatecon(oldcon) != 0) + if (setfscreatecon_raw(oldcon_raw) != 0) pam_syslog(idata->pamh, LOG_NOTICE, "Error resetting fs create context: %m"); - freecon(oldcon); + freecon(oldcon_raw); } #endif -- cgit v1.2.3 From 5b30470ea3f441403c20f8ddc5a62a6db61bf7e3 Mon Sep 17 00:00:00 2001 
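Review bot: the return value of `getfscreatecon_raw(&oldcon_raw)` is still discarded, so a failure (oldcon_raw stays NULL) is indistinguishable from "no create context set", and the `setfscreatecon_raw(oldcon_raw)` in the second hunk then resets the context to default instead of restoring it; logging it, e.g. `if (getfscreatecon_raw(&oldcon_raw) < 0) pam_syslog(idata->pamh, LOG_NOTICE, "Error getting fs create context: %m");`, makes that visible without changing the flow. The commit message says these contexts are not printed, yet the debug branch still logs `dircon_raw` via `"Polydir %s context: %s"`; harmless, but it is now the raw, untranslated label that lands in the log, which the message could state. Both hunks sit inside create_polydir, whose body continues outside them.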
From: Christian Göttsche Date: Mon, 7 Dec 2020 14:45:47 +0100 Subject: pam_namespace: check for string_to_security_class failure Check for the unlikely case string_to_security_class() does not find the associated SELinux security class. This will only happen if the loaded SELinux policy does not define the class "dir" (which no sane policy does) or querying the selinuxfs fails. Suggested by #309 --- modules/pam_namespace/pam_namespace.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'modules/pam_namespace/pam_namespace.c') diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index f8ced1c3..4d4188d0 100644 --- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c @@ -844,6 +844,12 @@ static int form_context(const struct polydir_s *polyptr, if (polyptr->method == CONTEXT) { tclass = string_to_security_class("dir"); + if (tclass == 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Error getting dir security class"); + freecon(scon); + return PAM_SESSION_ERR; + } if (security_compute_member(scon, *origcon, tclass, i_context) < 0) { -- cgit v1.2.3